Windows 10 Smartcard Login versus Windows 7 Smartcard Login

Points of My Scenario:
1. I am the admin of two newly deployed virtual machines: one Windows 7 Enterprise and one Windows 10 Enterprise.
2. I was able to configure smartcard logon for the Windows 7 computer, but the same steps (driver installation and certificate import) are not working for the Windows 10 Enterprise computer.
3. For each computer, both the driver installation (smartcard reader and smartcard) and the certificate import are successful.
4. For both Windows versions (7 and 10 Enterprise), the root CA certificate was [successfully] imported into the Trusted Root Certification Authorities store.
5. However, when attempting to login to Windows 10 with smartcard, I get the following error, "An untrusted certification authority was detected while processing the domain controller certificate used for authentication. Additional information may be available in the system event log. Please contact your administrator."

QUESTION: What additional configuration is required on Windows 10 Enterprise so that it accepts the smartcard login just like its Windows 7 Enterprise counterpart?

PS: I can login to BOTH Windows 10 and Windows 7 with local and domain user accounts that don't require smartcards.


Have you checked the status of the smart card and compared it between them? certutil -v -scinfo

waltforbes (Senior IT Specialist, Author) commented: 2018-06-22

Hi Chris:
1. It is a single tier CA
2. [Question]: How can I determine if the Windows 10 can do the CRL checks?
3. I have run "certutil -v -scinfo" successfully, and it correctly reports the smartcard details.

Another thing to do is to export the cert from the smart card (public key only) to a file and then run certutil -verify -urlfetch against it on both the client and the DC. Make sure you're not having trouble checking the CRL or chaining up to the roots.

Does your card chain up to the Common Policy Root CA?

If yes, on your domain controller, find the certificate for the CA in the trusted root store, look at the properties of it, and go to the details tab. You'll see a button at the bottom labeled "Edit Properties"

If you click that button, there will be a list of Certificate Purposes - by default the Smart Card Logon purpose may be disabled. If it is, enable it, and then close all the dialog boxes and check to see if it works or not.

I looked at that usage and it was NOT enabled. I then tested another card (same issuer, same cert chain) and it worked immediately. (I still haven't changed the cert usage on the domain controller)

I then deleted the AD account mapped to my original test card, recreated - and it worked as well.

As btan has said above, certutil -verify -urlfetch will be able to help you do this.

It's worth checking via a web browser as well: if you look at the certificate, you can find what the CRL points are. The screenshot is of the Experts Exchange cert; your internal CA may be configured with an AD (LDAP) point as well as an HTTP point.
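The checks suggested in this thread (certutil -v -scinfo, exporting the card's public certificate and running certutil -verify -urlfetch on both the client and the DC, and reading the CRL distribution points off the certificate) can be run in one pass with the PowerShell script below. It is an added example, not code posted by anyone in the thread. It also builds the chain in-process to show which root the card certificate ends at and whether that root is actually present in LocalMachine\Root, and, because the Windows 10 error names the domain controller's certificate rather than the card's, it optionally repeats the chain check against an exported copy of the DC certificate. Assumptions: the card is inserted and its certificate has been propagated into CurrentUser\My, the PKI module's Export-Certificate cmdlet is available (Windows 8/Server 2012 and later), and the parameter names and output folder are the example's own choices. Run it first on the Windows 10 client, then on the DC, and compare the two verify.txt logs.

```powershell
<#
  Added example (not from the original thread). Automates the checks the
  thread describes and reports the chain, root-store and CRL results.
  Assumptions: card inserted, its cert propagated to CurrentUser\My,
  Export-Certificate available. -Thumbprint, -DcCertPath and -OutDir are
  this example's own parameter names.
#>
param(
    [string]$Thumbprint,                   # pick a specific card certificate
    [string]$DcCertPath,                   # optional: DC certificate exported as .cer
    [string]$OutDir = "$env:TEMP\sc-check"
)

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU OID
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Build the chain the way a logon would (online revocation, whole chain) and
# report whether the root it lands on is really in the machine's Trusted Root store.
function Test-ChainToTrustedRoot {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Label
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $built = $chain.Build($Cert)
    $elements = @($chain.ChainElements)
    $root = $elements[-1].Certificate           # last element is the top of the chain
    $inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                          Where-Object Thumbprint -eq $root.Thumbprint)
    Write-Host ("{0}: {1}" -f $Label, $Cert.Subject)
    Write-Host ("  chain built: {0}; top of chain: {1}; in LocalMachine\Root: {2}" -f
                $built, $root.Subject, $inRootStore)
    foreach ($s in $chain.ChainStatus) {        # empty when the chain is clean
        Write-Host ("  status: {0} - {1}" -f $s.Status, "$($s.StatusInformation)".Trim())
    }
    return ($built -and $inRootStore)
}

# 1. Card view (same command the thread uses); keep the full output for the ticket.
certutil -v -scinfo | Set-Content "$OutDir\scinfo.txt"

# 2. Locate the logon certificate in the user's Personal store.
$certs = Get-ChildItem Cert:\CurrentUser\My
$cert = if ($Thumbprint) { $certs | Where-Object Thumbprint -eq $Thumbprint }
        else { $certs | Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku } |
               Select-Object -First 1 }
if (-not $cert) { throw "No certificate with the Smart Card Logon EKU found in CurrentUser\My" }

# 3. Export the public certificate only; the private key never leaves the card.
$cerPath = Join-Path $OutDir 'smartcard.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# 4. CRL distribution points, as the browser's certificate viewer would show them.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) {
    Write-Host "CRL distribution points (ldap:// needs AD reachability, http:// a web fetch):"
    [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
        ForEach-Object { Write-Host ("  " + $_.Groups[1].Value) }
} else {
    Write-Host "Certificate carries no CRL Distribution Points extension"
}

# 5. certutil chain and revocation check with live URL fetching; surface the verdict lines.
$verifyLog = certutil -verify -urlfetch $cerPath 2>&1
$verifyLog | Set-Content "$OutDir\verify.txt"
$verifyLog | Select-String -Pattern 'ERROR|FAILED|CERT_E_|CRYPT_E_|revocation check passed|completed successfully' |
    ForEach-Object { Write-Host ("  " + $_.Line.Trim()) }

# 6. In-process chain build for the card certificate and, if supplied, the DC certificate.
$cardOk = Test-ChainToTrustedRoot -Cert $cert -Label 'Smart card certificate'
if ($DcCertPath) {
    $dcCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $DcCertPath
    $dcOk = Test-ChainToTrustedRoot -Cert $dcCert -Label 'Domain controller certificate'
    Write-Host ("Card chain trusted: {0}; DC chain trusted: {1}" -f $cardOk, $dcOk)
} else {
    Write-Host ("Card chain trusted: {0}" -f $cardOk)
}
Write-Host "Full logs in $OutDir"
```

The script keeps the raw certutil output in verify.txt because the status names it prints (for example a CERT_E_ or CRYPT_E_ code on a revocation or chaining failure) are more specific than the logon screen's message. If the card chain is clean on the Windows 10 client but the DC certificate's chain is not, the problem lies with the issuer of the DC certificate rather than with the card, which matches what the error message on the login screen actually says.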